
    
          
  
          

    
  
  
  
  

    
  
  
  
  
  
  
  
  

    
  
  
  
  

    
  
  
      
    
  
  
  

    

    
  
  
  
  

    
  
  
  

    
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

    
  

    


    
    
    
    
    
    
    
    
  
  
        <!DOCTYPE html>  <html lang="en" itemscope itemtype="http://schema.org/WebPage">    <head>        <meta charset="UTF-8">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta name="viewport" content="width=device-width,initial-scale=1">                  
    
    
        <title>ELF_PLEAD - Linux Malware Used by BlackTech - JPCERT/CC Eyes | JPCERT Coordination Center official Blog</title>
    <meta name="description" content="In a past article, we introduced Linux malware ELF_TSCookie, which is used by an attack group BlackTech. This group also uses other kinds of malware that affects Linux OS. PLEAD module for Windows which we introduced before has its Linux...">
    <meta name="keywords" content="">
  
    
    
    
    
    

  
                      
    
    
        <meta property="og:type" content="website">
    <meta property="og:locale" content="en_US">
    <meta property="og:title" content="ELF_PLEAD - Linux Malware Used by BlackTech - JPCERT/CC Eyes">
    <meta property="og:url" content="https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html">
    <meta property="og:description" content="In a past article, we introduced Linux malware ELF_TSCookie, which is used by an attack group BlackTech. This group also uses other kinds of malware that affects Linux OS. PLEAD module for Windows which we introduced before has its Linux...">
    <meta property="og:site_name" content="JPCERT/CC Eyes">
    <meta property="og:image" content="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig1-800wi.png">
      
    
    
    
    
    

  
                      
    
    
        <meta name="twitter:card" content="summary_large_image">
        <meta name="twitter:title" content="ELF_PLEAD - Linux Malware Used by BlackTech - JPCERT/CC Eyes">
    <meta name="twitter:description" content="In a past article, we introduced Linux malware ELF_TSCookie, which is used by an attack group BlackTech. This group also uses other kinds of malware that affects Linux OS. PLEAD module for Windows which we introduced before has its Linux...">
    <meta name="twitter:image" content="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig1-800wi.png">
  
    
    
    
    
    

  
                      
    
    
        <meta itemprop="description" content="In a past article, we introduced Linux malware ELF_TSCookie, which is used by an attack group BlackTech. This group also uses other kinds of malware that affects Linux OS. PLEAD module for Windows which we introduced before has its Linux...">
    <link itemprop="url" href="https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html">
    <link itemprop="image" href="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig1-800wi.png">
  
    
    
    
    
    

  
            <link rel="start" href="/en/">    <link rel="alternate" type="application/atom+xml" href="/en/atom.xml">        <link rel="stylesheet" href="/en/common/css/styles.css">    <link rel="shortcut icon" type="image/x-icon" href="/en/common/images/favicon.ico">    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css" integrity="sha256-NuCn4IvuZXdBaFKJOAcsU2Q3ZpwbdFisd5dux4jkQ5w=" crossorigin="anonymous" />    <!--[if lt IE 9]>    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" integrity="sha256-3Jy/GbSLrg0o9y5Z5n1uw0qxZECH7C6OQpVBgNFYa0g=" crossorigin="anonymous"></script>    <script src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js" integrity="sha256-g6iAfvZp+nDQ2TdTR/VVKJf3bGro4ub5fvWSWVRi2NE=" crossorigin="anonymous"></script>    <![endif]-->              <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-124034031-1"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());

      gtag('config', 'UA-124034031-1');
    </script>
                
        <link rel="canonical" href="https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html" />

  
      </head>  <body class="page_english">              
    <!-- prepend body -->

  
            
  
  
        
    
    <header class="header  header--bottom">
    <div class="header__inner clearfix">
      <p class="header__logo">
        <a href="https://www.jpcert.or.jp/english/" target="_blank">
          <img class="header__logo__src" src="/en/common/images/header_logo.svg" width="198" height="66" alt="JPCERT/CC Eyes">
        </a>
      </p>
      <h1 class="header__title">
        <a class="header__title__link" href="/en/">JPCERT/CC Eyes</a>
      </h1>
      <h2  class="header__description">JPCERT Coordination Center official Blog</h2>
      <div class="header__lang">
        <p class="header__lang__cell-label">Language:</p>
        <div class="header__lang__cell-field">
          <select class="header__lang__switcher" onchange="location.href = this.value;">
            <option value="/ja/">日本語</option>
            <option selected value="/en/">English</option>
                      </select>
        </div>
      </div>
    </div>
  </header>

    


        
    
    
        
                  
    <section class="breadcrumb-navi">
      <div class="inner">
        <a href="/en/">Top</a>&nbsp;&gt;&nbsp;<a href="https://blogs.jpcert.or.jp/en/malware/">List of &ldquo;Malware&rdquo;</a>&nbsp;&gt;&nbsp;ELF_PLEAD - Linux Malware Used by BlackTech
      </div>
    </section>

        
        
  
    
    
    
    
    


        <div id="content" class="clearfix">

            <div id="main-wrapper">
        <main role="main">

                    
        
    <article id="entry-1627302" class="entry">

        
    
    
    
    <div class="entry-meta clearfix">

    <div class="entry-author">
      <figure>
        <a href="https://blogs.jpcert.or.jp/en/shu_tom/">
          <img src="https://movabletype.net/users/shu_tom/ENCORE_400x400.jpg" width="50" height="50" alt="朝長 秀誠 (Shusei Tomonaga)">
        </a>
      </figure>
      <p><a href="https://blogs.jpcert.or.jp/en/shu_tom/">朝長 秀誠 (Shusei Tomonaga)</a></p>
    </div>

    <div class="entry-date">
      <time datetime="2020-11-16T00:00:00+09:00">November 16, 2020</time>
    </div>

  </div>

    
    
    


        <h2 class="entry-title">ELF_PLEAD - Linux Malware Used by BlackTech</h2>

        
    
        
    

        
  
        
    

        
  
        <section class="entry-tags">
      <ul>

        
                    
                    
                    
        
                    
                    
                        
            <li>
              <a href="https://blogs.jpcert.or.jp/en/tags/blacktech/">BlackTech</a>
            </li>

                        
          
                    
        
      </ul>
    </section>
  


        
    
    
    <div class="entry-social-buttons  entry-social-buttons--before-content  clearfix">
    <ul>
      <li class="entry-social-twitter">
        <a href="https://twitter.com/share" class="twitter-share-button" data-text="ELF_PLEAD - Linux Malware Used by BlackTech" data-url="https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html" data-show-count="false"></a>
      </li>
      <li class="entry-social-mail">
        <a href="mailto:?subject=ELF_PLEAD%20-%20Linux%20Malware%20Used%20by%20BlackTech&amp;body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2020%2F11%2Felf-plead.html">Email</a>
      </li>
    </ul>
  </div>

    
    


        <section class="entry-content clearfix">
      <p>In a past article, we introduced Linux malware <a href="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html" title="ELF_TSCookie" target="_blank">ELF_TSCookie</a>, which is used by an attack group BlackTech. This group also uses other kinds of malware that affects Linux OS. <a href="https://blogs.jpcert.or.jp/ja/2018/05/linopid.html" title="PLEAD module" target="_blank">PLEAD module</a> for Windows which we introduced before has its Linux version (ELF_PLEAD) as well. This article describe the details of ELF_PLEAD in comparison to <a href="https://blogs.jpcert.or.jp/en/2018/05/linopid.html" title="PLEAD module" target="_blank">PLEAD module</a>.</p>

<h3>Comparison between PLEAD Module and ELF_PLEAD</h3>

<p>ELF_PLEAD and PLEAD module share many parts of the code, and most of the functions including communication are similar. Figure 1 shows the comparison of the main functions of PLEAD module and ELF_PLEAD.</p>

<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/elf_plead-fig1.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig1-500wri.png" width="500" height="247" alt="Code comparison of PLEAD module and ELF_PLEAD" class="asset asset-image at-xid-1619457 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 1: Code comparison of PLEAD module and ELF_PLEAD<br />(Left: PLEAD module / Right: ELF_PLEAD)</figcaption></figure></p>

<p>It is clear from the flow of processing that the two types of malware are quite similar. The next sections will describe the features of ELF_PLEAD from the following perspectives:</p>

<ul>
<li>Configuration</li>
<li>Communication protocol</li>
<li>Commands</li>
</ul>

<h3>Configuration</h3>

<p>ELF_PLEAD possesses its configuration with the size of 0x1AA. Figure 2 is an example of configuration. It contains information such as C&amp;C servers and an encryption key. (Please see Appendix A for the details of configuration.)</p>

<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/elf_plead-fig2.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig2-500wri.png" width="500" height="339" alt="Configuration example" class="asset asset-image at-xid-1619459 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 2: Configuration example</figcaption></figure></p>

<p>The configuration is RC4-encrypted, and the 32-byte string right before the encrypted configuration is the encryption key itself. Figure 3 is an example of encrypted configuration and its key.</p>

<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/elf_plead-fig3.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig3-500wri.png" width="500" height="402" alt="Encrypted configuration and encryption key class="asset asset-image at-xid-1619460 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 3: Encrypted configuration and encryption key</figcaption></figure></p>

<h3>Communication protocol</h3>

<p>While PLEAD module uses HTTP protocol to communicate with its C&amp;C servers, ELF_PLEAD uses its custom protocol. Besides the difference, the data format and the method for exchanging the encryption key are almost the same. Figure 4 describes the flow of communication that ELF_PLEAD performs.</p>

<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/elf_plead-fig4.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig4-500wri.png" width="500" height="270" alt="Communication flow of ELF_PLEAD" class="asset asset-image at-xid-1619461 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 4: Communication flow of ELF_PLEAD</figcaption></figure></p>

<p>ELF_PLEAD exchanges a part of RC4 key at the time of first communication. After that, a RC4 key generated by the exchange will be used for the communication that follows. The data sent is RC4-encrypted and then LZO-compressed. (Please see Appendix B for the details of communication protocol.)</p>

<h3>Commands</h3>

<p>ELF_PLEAD is equipped with 5 command groups as follows. (Please see Appendix C for the details of command functions. The command number may vary in some samples.)</p>

<ul>
<li>CFileManager (group number 0): commands for operation on files</li>
<li>CFileTransfer (group number 1): commands for sending/receiving files</li>
<li>CRemoteShell (group number 2): commands for remote shell</li>
<li>CPortForwardManager (group number 3): commands for proxy mode</li>
<li>No name (group number 0xFF): commands for malware control</li>
</ul>

<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/elf_plead-fig5.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/elf_plead-fig5-500wri.png" width="500" height="373" alt="Command group names" class="asset asset-image at-xid-1619462 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 5: Command group names</figcaption></figure></p>

<p>It is clear that the functions are almost the same as <a href="https://blogs.jpcert.or.jp/en/2018/06/plead-downloader-used-by-blacktech.html" title="PLEAD module" target="_blank">PLEAD module</a>.</p>

<h3>In closing</h3>

<p>It has been confirmed that BlackTech uses different kinds of malware including TSCookie, PLEAD and KIVARS, which target Linux OS as well as Windows OS. If such malware is found in your Windows environment, it is recommended to check your Linux environment as well.</p>

<p>Shusei Tomonaga <br />
(Translated by Yukako Uchida)</p>

<h4>Appendix A: ELF_PLEAD Configuration</h4>

<table>
<tbody>
<caption>Table A: Configuration</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #bdbdbd; width: 200px; text-align: center;">Description</td>
<td style="background-color: #bdbdbd; width: 400px; text-align: center;">Remarks</td>
</tr>
<tr>
<td style="text-align: center;">0x000</td>
<td>RC4 Key</td>
<td>Used for encrypting communication</td>
</tr>
<tr>
<td style="text-align: center;">0x004</td>
<td>ID</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x024</td>
<td>Port number 1</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x026</td>
<td>Port number 2</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x028</td>
<td>Port number 3</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x02A</td>
<td>C&C server 1</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x0AA</td>
<td>C&C server 2</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x12A</td>
<td>C&C server 3</td>
<td></td>
</tr>
</tbody>
</table>

<ul>
<li>Configuration format may vary in some samples.</li>
</ul>

<h4>Appendix B: Contents of data exchanged</h4>

<table>
<tbody>
<caption>Table B-1: Format of sent data</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Length</td>
<td style="background-color: #bdbdbd; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>4</td>
<td>RC4 Key (Key4)</td>
</tr>
<tr>
<td style="text-align: center;">0x04</td>
<td>4</td>
<td>Hash value</td>
</tr>
<tr>
<td style="text-align: center;">0x08</td>
<td>4</td>
<td>RC4 key (Key1)</td>
</tr>
<tr>
<td style="text-align: center;">0x0C</td>
<td>2</td>
<td>Length of data sent</td>
</tr>
<tr>
<td style="text-align: center;">0x0E</td>
<td>2</td>
<td>Length of data at offset 0x10 before compression</td>
</tr>
<tr>
<td style="text-align: center;">0x10</td>
<td>-</td>
<td>Encrypted data (RC4 +LZO) (See Table A-2 for details.)</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table B-2: Format of encrypted data</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Length</td>
<td style="background-color: #bdbdbd; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>2</td>
<td>0xFF</td>
</tr>
<tr>
<td style="text-align: center;">0x02</td>
<td>4</td>
<td>RC4 key (Key2)</td>
</tr>
<tr>
<td style="text-align: center;">0x06</td>
<td>-</td>
<td>Random data (at least 128 bytes)</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table B-3: Format of received data</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Length</td>
<td style="background-color: #bdbdbd; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>4</td>
<td>RC4 key (Key4)</td>
</tr>
<tr>
<td style="text-align: center;">0x04</td>
<td>4</td>
<td>Hash value</td>
</tr>
<tr>
<td style="text-align: center;">0x08</td>
<td>4</td>
<td>RC4 key (Key1)</td>
</tr>
<tr>
<td style="text-align: center;">0x0C</td>
<td>2</td>
<td>Length of data sent</td>
</tr>
<tr>
<td style="text-align: center;">0x0E</td>
<td>2</td>
<td>Length of data at offset 0x10 before compression</td>
</tr>
<tr>
<td style="text-align: center;">0x10</td>
<td>-</td>
<td>Encrypted data (RC4 +LZO) (See Table A-4 for details.)</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table B-4: Format of encrypted data in the received data</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Length</td>
<td style="background-color: #bdbdbd; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>2</td>
<td>0x01FF</td>
</tr>
<tr>
<td style="text-align: center;">0x02</td>
<td>4</td>
<td>RC4 key (Key3)</td>
</tr>
</tbody>
</table>

<h4>Appendix C: ELF_PLEAD commands</h4>

<table>
<tbody>
<caption>Table C-1: Commands without group name (group number 0xFF)</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Value</td>
<td style="background-color: #bdbdbd; width: 400px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">4</td>
<td>Send random data</td>
</tr>
<tr>
<td style="text-align: center;">5</td>
<td>Reconnect</td>
</tr>
<tr>
<td style="text-align: center;">6</td>
<td>Restart</td>
</tr>
<tr>
<td style="text-align: center;">7</td>
<td>End</td>
</tr>
<tr>
<td style="text-align: center;">8</td>
<td>End</td>
</tr>
<tr>
<td style="text-align: center;">9</td>
<td>Change socket</td>
</tr>
<tr>
<td style="text-align: center;">11</td>
<td>Change C2 server</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table C-2: Commands for CFileManager (group number 0)</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Value</td>
<td style="background-color: #bdbdbd; width: 400px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">32</td>
<td>Send list of files</td>
</tr>
<tr>
<td style="text-align: center;">37</td>
<td>Send file size, mode, timestamp</td>
</tr>
<tr>
<td style="text-align: center;">39</td>
<td>Change file name</td>
</tr>
<tr>
<td style="text-align: center;">41</td>
<td>Delete file/directory</td>
</tr>
<tr>
<td style="text-align: center;">43</td>
<td>Upload file</td>
</tr>
<tr>
<td style="text-align: center;">45</td>
<td>Execute file</td>
</tr>
<tr>
<td style="text-align: center;">49</td>
<td>Create directory</td>
</tr>
<tr>
<td style="text-align: center;">51</td>
<td>Move file</td>
</tr>
<tr>
<td style="text-align: center;">53</td>
<td>Delete directory</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table C-3: Commands for CFileTransfer (group number 1)</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Value</td>
<td style="background-color: #bdbdbd; width: 400px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">64</td>
<td>Send file/directory information</td>
</tr>
<tr>
<td style="text-align: center;">67</td>
<td>Create directory</td>
</tr>
<tr>
<td style="text-align: center;">70</td>
<td>Download file</td>
</tr>
<tr>
<td style="text-align: center;">71</td>
<td>Send file information</td>
</tr>
<tr>
<td style="text-align: center;">75</td>
<td>Upload file</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table C-4: Commands for CRemoteShell (group number 2)</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Value</td>
<td style="background-color: #bdbdbd; width: 400px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">80</td>
<td>Launch remote shell</td>
</tr>
</tbody>
</table>

<table>
<tbody>
<caption>Table C-5: Commands for CPortForwardManager (group number 3)</caption>
<tr>
<td style="background-color: #bdbdbd; width: 100px; text-align: center;">Value</td>
<td style="background-color: #bdbdbd; width: 400px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">96</td>
<td>Set up proxy</td>
</tr>
<tr>
<td style="text-align: center;">100</td>
<td>Connect proxy</td>
</tr>
<tr>
<td style="text-align: center;">102</td>
<td>Send proxy data</td>
</tr>
<tr>
<td style="text-align: center;">104</td>
<td>-</td>
</tr>
<tr>
<td style="text-align: center;">106</td>
<td>-</td>
</tr>
<tr>
<td style="text-align: center;">108</td>
<td>End proxy</td>
</tr>
</tbody>
</table>

<h4>Appendix D: C&amp;C server</h4>

<ul>
<li>mx.msdtc.tw</li>
</ul>

<h4>Appendix E: Malware hash value</h4>

<ul>
<li>5b5f8c4611510c11d413cb2bef70867e584f003210968f97e0c54e6d37ba8d8d</li>
<li>ca0e83440b77eca4d2eda6efd9530b49ffb477f87f36637b5e43f2e428898766</li>
</ul>

      

    </section>

        
    
    
    <div class="entry-social-buttons  entry-social-buttons--after-content  clearfix">
    <ul>
      <li class="entry-social-twitter">
        <a href="https://twitter.com/share" class="twitter-share-button" data-text="ELF_PLEAD - Linux Malware Used by BlackTech" data-url="https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html" data-show-count="false"></a>
      </li>
      <li class="entry-social-mail">
        <a href="mailto:?subject=ELF_PLEAD%20-%20Linux%20Malware%20Used%20by%20BlackTech&amp;body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2020%2F11%2Felf-plead.html">Email</a>
      </li>
    </ul>
  </div>

    
    


        
    
    
          
    <section class="entry-author-detail">
    <div class="entry-author-detail-header">
      <p class="title">Author</p>
    </div>

    <div class="entry-author-detail-body clearfix">
      <figure>
        <img src="https://movabletype.net/users/shu_tom/ENCORE_400x400.jpg" width="90" height="90" alt="朝長 秀誠 (Shusei Tomonaga)">
      </figure>
      <div class="entry-author-detail-body-text">
        <p class="name"><a href="https://blogs.jpcert.or.jp/en/shu_tom/">朝長 秀誠 (Shusei Tomonaga)</a></p>
        <div class="profile">
          <p>








































Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.


</p>
        </div>
      </div>
    </div>
  </section>

    
    
    


        
    
  

<!-- Feedback -->
<div id="fb" class="feedback feedback_noscript">
  <form name="feedback_form" id="feedback_form">
    <p class="title">Was this page helpful?</p>
    <div class="inner">
      <p class="select">
        <label><input name="is_useful" id="is_usefull_yes" value="yes" type="radio">Yes</label>
        <label><input name="is_useful" id="is_usefull_no" value="no" type="radio">No</label>
      </p>
      <p class="result"><span class='count'>0</span> people found this content helpful.</p>
    </div>
    <p class="title">If you wish to make comments or ask questions, please use this form.</p>
    <div class="inner">
      <p class="message">This form is for comments and inquiries. For any questions regarding specific commercial products, please contact the vendor.</p>
      <div class="container_a">
        <div class="container_b">
          <textarea name="free_text" id="free_text" cols="30" rows="3"></textarea>
        </div>
      </div>
      <p class="send_area">
        <span class="en_js_msg">please change the setting of your browser to set JavaScript valid.</span>
        <span class="loader" style="display:none"><img src="/en/common/images/fb_loader.gif" alt=""></span>
        <span class="thanks">Thank you!</span>
        <input class="button" type="button" disabled value="Send">
      </p>
    </div>
    <input name="redirect_to" id="redirect_to" value="" type="hidden">
    <input name="feedback_host" id="feedback_host" value="//ws.jpcert.or.jp/cgi-bin/" type="hidden">
    <input name="uri" id="uri" value="" type="hidden">
    <input name="token" id="token" value="" type="hidden">
  </form>
</div>
<!-- //-------- feedback --------------------->



    


        
    
      
    
                      <section class="relation-entrylist">
          <nav>
            <h1>Related articles</h1>
            <ul>
      
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/10/windealer.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/windealer01_png_en-320wi.png" alt="Malware WinDealer used by LuoYu Attack Group" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Malware WinDealer used by LuoYu Attack Group</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gh0sttimes-fig8-47276bfe-589fd11c-320wi.png" alt="Malware Gh0stTimes Used by BlackTech" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Malware Gh0stTimes Used by BlackTech</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/lodeinfo3-fig2-320wi.png" alt="Further Updates in LODEINFO Malware" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Further Updates in LODEINFO Malware</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/lazarus3-fig2-320wi.png" alt="Operation Dream Job by Lazarus" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Operation Dream Job by Lazarus</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/quasar-fig16-320wi.png" alt="Attack Activities by Quasar Family" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Attack Activities by Quasar Family</p>
                  </div>
                </a>
              </li>

                            
                  </ul>
          </nav>
        </section>
            
    
    
    


        
    
    
    <section class="entry-navi">
    <div class="entry-navi-prev">
              <a href="https://blogs.jpcert.or.jp/en/2020/10/logontracer-1-5.html">Back</a>
          </div>
    <div class="entry-navi-home">
      <a href="/en/">Top</a>
    </div>
    <div class="entry-navi-next">
              <a href="https://blogs.jpcert.or.jp/en/2020/12/cna-2cna.html">Next</a>
          </div>
  </section>

    
    


  </article>



  

        </main>
      </div>

            
    <aside>

        
    <div class="google-search">
    <script>
      (function() {
        var cx = '004990004422359256493:nnhwqqlx864';
        var gcse = document.createElement('script');
        gcse.type = 'text/javascript';
        gcse.async = true;
        gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
            '//cse.google.com/cse.js?cx=' + cx;
        var s = document.getElementsByTagName('script')[0];
        s.parentNode.insertBefore(gcse, s);
      })();
    </script>
    <gcse:search></gcse:search>
  </div>



        
        <section id="side-categories" class="categorylist">
      <nav>
        <h1>Categories</h1>
        <ul>

          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #6484c5"></span><a href="https://blogs.jpcert.or.jp/en/malware/">Malware</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #fca001"></span><a href="https://blogs.jpcert.or.jp/en/incident/">Incident</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #9ec700"></span><a href="https://blogs.jpcert.or.jp/en/event/">Event</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #009e9f"></span><a href="https://blogs.jpcert.or.jp/en/vulnerability/">Vulnerability</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #0172b6"></span><a href="https://blogs.jpcert.or.jp/en/security-technology/">Security Technology</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #a1017f"></span><a href="https://blogs.jpcert.or.jp/en/forensic/">Forensic</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #838383"></span><a href="https://blogs.jpcert.or.jp/en/other/">Other</a>
                
                              </li>
            
                        
          
                        
                        
                        
          
        </ul>
      </nav>
    </section>
  


        
        
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
                    <section id="side-tags" class="taglist">
          <nav>
            <h1>Tags</h1>

                          <ul>
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/python/">Python</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/conference/">Conference</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/datper/">Datper</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/chches/">ChChes</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/training/">Training</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/cybergreen/">Statistics and Indicator</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/tool/">Tool</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/blacktech/">BlackTech</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/logontracer/">LogonTracer</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/report/">Report</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/splunk/">Splunk</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/elasticstack/">ElasticStack</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/impfuzzy/">impfuzzy</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/volatility/">volatility</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/redleaves/">RedLeaves</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/plugx/">PlugX</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/darkhotel/">DarkHotel</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/banking-malware/">Banking malware</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/pacific-islands/">Pacific_Islands</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/csirt/">CSIRT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/password/">Password</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/policy/">Policy</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/ddos/">DDoS</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/apt/">APT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/trend/">Trend</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/africa/">Africa</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/securecoding/">SecureCoding</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/sysmonsearch/">SysmonSearch</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/jsac/">JSAC</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/iot/">IoT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/iiot/">IIoT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/quasar/">Quasar</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/lodeinfo/">LODEINFO</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/lazarus/">Lazarus</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/emotet/">Emotet</a>
                                  </li>

                                
              </ul>            
          </nav>
        </section>
      
            
      


        
      <div id="ranklet-10936"></div>
  


        
    
              <section id="side-members" class="memberlist">
        <nav>
          <h1>Authors</h1>
          <ul class="clearfix">
    
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/SHIKAPON/">
                  <img src="https://movabletype.net/users/SHIKAPON/matsu.png" alt="鹿野 恵祐 (Keisuke Shikano)" title="鹿野 恵祐 (Keisuke Shikano)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/sekiguchi/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="関口　晃弘 (Akihiro Sekiguchi)" title="関口　晃弘 (Akihiro Sekiguchi)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/reto/">
                  <img src="https://movabletype.net/users/reto/Q6VN1jSR_400x400.jpg" alt="衛藤 亮介 (Ryosuke Eto)" title="衛藤 亮介 (Ryosuke Eto)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/ikuya/">
                  <img src="https://movabletype.net/users/ikuya/profile_icon.png" alt="福本 郁哉（Ikuya Fukumoto）" title="福本 郁哉（Ikuya Fukumoto）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/s-tanaka/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="田中 信太郎（Shintaro Tanaka） " title="田中 信太郎（Shintaro Tanaka） " width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/yutafuchikami/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="渕上侑汰（Yuta Fuchikami）" title="渕上侑汰（Yuta Fuchikami）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/horata/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="洞田 慎一 (Shinichi Horata)" title="洞田 慎一 (Shinichi Horata)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/t.mizuno/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="水野 哲也 (Tetsuya Mizuno)" title="水野 哲也 (Tetsuya Mizuno)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/Moris/">
                  <img src="https://movabletype.net/users/Moris/森克宏01.jpg" alt="森　克宏(Katsuhiro Mori)" title="森　克宏(Katsuhiro Mori)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/shu_tom/">
                  <img src="https://movabletype.net/users/shu_tom/ENCORE_400x400.jpg" alt="朝長 秀誠 (Shusei Tomonaga)" title="朝長 秀誠 (Shusei Tomonaga)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/mochidai/">
                  <img src="https://movabletype.net/users/mochidai/ProfileJPG.jpg" alt="持永 大 (Dai Mochinaga)" title="持永 大 (Dai Mochinaga)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/moto/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="川崎 基夫 (moto kawasaki)" title="川崎 基夫 (moto kawasaki)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/kkomiyama/">
                  <img src="https://movabletype.net/users/kkomiyama/photo_sparky_small.jpg" alt="小宮山 功一朗 (Koichiro Sparky Komiyama)" title="小宮山 功一朗 (Koichiro Sparky Komiyama)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/teramoto/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="寺本 健悟(Kengo Teramoto)" title="寺本 健悟(Kengo Teramoto)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/masubuchi/">
                  <img src="https://movabletype.net/users/masubuchi/blog_image.png" alt="増渕 維摩(Yuma Masubuchi)" title="増渕 維摩(Yuma Masubuchi)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/hori-32tk/">
                  <img src="https://movabletype.net/users/hori-32tk/画像の貼り付け先_-2021-3-18-22-18.png" alt="堀 充孝（Mitsutaka Hori）" title="堀 充孝（Mitsutaka Hori）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/kino/">
                  <img src="https://movabletype.net/users/kino/image-992ce083-832a-45c5-a3d8-5922b68506a7.jpg" alt="喜野 孝太(Kota Kino)" title="喜野 孝太(Kota Kino)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/uchida/">
                  <img src="https://movabletype.net/users/uchida/14190908.jpg" alt="内田 有香子 (Yukako Uchida)" title="内田 有香子 (Yukako Uchida)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/sajo/">
                  <img src="https://movabletype.net/users/sajo/Sajo0191031.jpg" alt="佐條 研(Ken Sajo)" title="佐條 研(Ken Sajo)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/Tomotaka/">
                  <img src="https://movabletype.net/users/Tomotaka/Tomotaka-Ito.jpg" alt="伊藤 智貴 (Tomo Ito)" title="伊藤 智貴 (Tomo Ito)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/tnakano/">
                  <img src="https://movabletype.net/users/tnakano/tapioka_square.jpg" alt="中野 巧 (Takumi Nakano)" title="中野 巧 (Takumi Nakano)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/shoko/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="中井 尚子（Shoko Nakai）" title="中井 尚子（Shoko Nakai）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/retiree_blog/">
                  <img src="https://movabletype.net/users/retiree_blog/j_icon72_400x400.jpg" alt="JPCERT/CC" title="JPCERT/CC" width="50">
                </a>
              </li>
            
                        
          
                        
            
                        
              </ul>
        </nav>
      </section>
      
    


    
        
              <section id="side-monthly-archive" class="archivelist">
        <nav>
          <h1>Archives</h1>
          <ul>
    
                
        <li><a href="https://blogs.jpcert.or.jp/en/2021/">2021</a><small>20</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2020/">2020</a><small>21</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2019/">2019</a><small>18</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2018/">2018</a><small>12</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2017/">2017</a><small>17</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2016/">2016</a><small>18</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2015/">2015</a><small>20</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2014/">2014</a><small>18</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2013/">2013</a><small>7</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2012/">2012</a><small>2</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2011/">2011</a><small>8</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2010/">2010</a><small>4</small></li>

                
              </ul>
        </nav>
      </section>
      


  </aside>



    </div>

        
    
    <footer class="footer">
    <div class="footer__inner">
      <div class="footer__information">
        <div class="footer__information__cell-logo">
          <p class="footer__information__logo">
            <a href="https://www.jpcert.or.jp/english/" target="_blank">
              <img style="margin-top:3px" class="footer__information__logo__src" src="/en/common/images/footer_logo.svg" width="188" height="48" alt="JPCERT Coordination Center">
            </a>
          </p>
        </div>
        <div class="footer__information__cell-company">
          <dl class="footer__information__company">
            <dt class="footer__information__company__name">JPCERT/CC</dt>
            <dd  class="footer__information__company__data">
              <address class="footer__information__company__data__address">8F Tozan Bldg, 4-4-2 Nihonbashi-Honcho, Chuo-ku, Tokyo 1030023 JAPAN</address>
              <p class="footer__information__company__data__tel">TEL: +81-3-6271-8901　FAX: +81-3-6271-8908</p>
            </dd>
          </dl>
        </div>
        <div class="footer__information__cell-navigation">
          <ul class="footer__information__navigation">
            <li class="footer__information__navigation__item"><a class="footer__information__navigation__link" href="https://blogs.jpcert.or.jp/en/privacy-policy.html" target="_blank">Privacy Policy</a></li>
            <li class="footer__information__navigation__item"><a class="footer__information__navigation__link" href="https://blogs.jpcert.or.jp/en/disclaimer.html" target="_blank">Disclaimer</a></li>
          </ul>
        </div>
      </div>
      <p class="footer__copyright">Copyright &copy; 1996-2021 JPCERT/CC All Rights Reserved.</p>
    </div>
  </footer>

    


  </body>
  </html>

    

              
        <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

        <script src="/en/common/js/prototype.js"></script>
    <script src="/en/common/feedback/script.js"></script>

  
                              <script src="//tracker.iws.vc/v1/ranklet/s3/widgets/10936/widget.js" async defer></script>
      </body>  </html>        